Method and Arrangement for Authenticating a Control Unit and Transmitting Authentication Information to the Control Unit



The invention relates to a method and an arrangement for generating authentication information by means of which a data processing system performs an authentication of a control unit. The invention further relates to a method and an arrangement for authenticating a control unit of an electrophotographic printing or copying system.

Known electrophotographic printers and copiers have communication interfaces over which the control units and maintenance computers can be linked with the printer or copier for purposes of control, diagnostic analysis, and maintenance. In particular, security related settings of the printer or copier can be changed with the aid of the maintenance computers. If such modifications are performed by insufficiently qualified operators or unauthorized persons, e.g. over a network connection, the result may be a significant quality degradation and damage or destruction of assemblies of the printer or copier.



In the case of known printers and copiers, a number of so-called user levels are provided, whereby a user can select a user level and verifies his authorization to select this user level by inputting a password. Furthermore, with known printers and copiers, unauthorized persons may be able to acquire information about the structure and control structure of the printer or copier through unsecured access with the aid of the communication interface of the printer or copier. System parameters such as meter counts of the printer or copier, which may be used for billing purposes, can also be manipulated over the communication interface of known printers or copiers.



The European Patent EP 0 513 549 A2 describes an arrangement for controlling and transmitting data between a host computer and a copier control, whereby the communication does not occur until the successful identification of the host computer with the aid of a password. A control unit for communication control is also provided.




US 5,077,795 describes an electronic printing system in which the security of user 
data and user programs is ensured with the aid of a user profile for each user. The 
user profiles are managed by a security administrator on site or at a remote location. 

However, known access methods offer only an inadequate protection of the printer's internal data and settings. In particular, a substantial risk associated with passwords is that they can be spied out with the aid of program modules that record the keyboard inputs. Another security risk associated with passwords is that they must be delivered to the respective user, whereby it often cannot be guaranteed that unauthorized parties will not acquire knowledge of the passwords during the transmission and/or delivery of the passwords. Nor is there any guarantee that authorized parties will not disseminate the passwords to unauthorized parties. An effective local protection of known printers or copiers could only be achieved by preventing unauthorized parties from gaining physical access to the communication interface of the printer or copier.

But in that case the print data could not be transmitted to the printer over a network that is also linked to global networks such as the Internet over which unauthorized parties also have access to the printer. But such measures also foreclose the possibility of remote maintenance, remote diagnostic analysis, or remote control of the printer by service specialists that are not on site.


The object of the invention is to propose a method and an arrangement with which it 
is easy to authenticate a data processing system. 

In connection with the method for authenticating a data processing system, the object is achieved by the features of claim 1. Advantageous developments of the invention are described in the subclaims.

What a method for authenticating a data processing system with the features of patent claim 1 achieves, is that the second data are supplied to the second data processing system in a very secure fashion, and with the aid of the second data, the second data processing system generates authentication information with which an authentication procedure can be advantageously executed automatically without intervention by a human operator.




A second aspect of the invention relates to an arrangement for authenticating a data processing system. A first data processing system generates first information. The first information is sent to a second data processing system of a control unit. The second data processing system generates first data with the aid of the first information and additional information that is contained in the second data processing system. The arrangement contains a data line over which first data are transmittable from the first data processing system to the second data processing system [sic]. The first data processing system generates second data depending on the first data. The second data are transmittable from the first data processing system to the second data processing system over the data line. With the aid of the second data, the second data processing system generates authentication information for authenticating the second data processing system.

The effect of this inventive arrangement is that the generation and transmission of the second data for generating the authentication information by means of the second data processing system can be executed easily and without complex user intervention. Furthermore, because the second data processing system generates the authentication information with the aid of the second data, an authentication of the second data processing system by an additional data processing system and/or the first data processing system is easy to realize.

A third aspect of the invention relates to a method for authenticating a control unit of an electrophotographic printing or copying system. First data are stored in a first data processing system of the control unit. The first data processing system generates authentication information with the aid of the first data. With the aid of authentication data the authentication information is transmitted to a second data processing system of the printing or copying system. The authenticity of the first data processing system is checked [or: validated] by the second data processing system. With the aid of the authentication data, access rights for the first data processing system are defined by the second data processing system.

An authentication of the control unit and the defining of access rights of the control unit are very easy with this inventive method. Complicated and costly user interventions by a human operator are not required in order to authenticate the control unit.

A fourth aspect of the invention relates to an arrangement for authenticating a control unit of an electrophotographic printing or copying system. First data are stored in a first data processing system of the control unit. The first data processing system generates authentication information with the aid of the first data. The first data processing system transmits authentication data to a second data processing system of the printing or copying system, which data contain the authentication information. The second data processing system checks the authenticity of the first data processing system, whereby it defines access rights of the first data processing system with the aid of the authentication data. With this inventive arrangement an authentication of the control unit can be executed very easily by the control unit of the printing or copying system. Such authentication does not require intervention by a human operator. Furthermore, with this arrangement a very secure authentication of the control unit is performed, and foreign [or: external] access to the data processing system of the printing or copying system is prevented.

In order to give a better understanding of the present invention, preferred exemplifying embodiments of the invention will now be described in connection with drawings and in reference to specific terminology. However, this is not intended to limit the scope of protection of the invention, because the alterations and further modifications to the devices and/or the method represented as well as the further applications of the invention which are laid out herein are considered common technical knowledge that is or will be known to a person skilled in the art. The figures represent exemplifying embodiments of the invention, namely:

Figure 1: a block wiring diagram of a system for generating and transmitting a key for authenticating a service and maintenance computer;

Figure 2: a control interface [or: operating surface] for requesting the key at an authorization server;

Figure 3: a block circuit diagram for the authenticating of the service and maintenance computer by a printer; and

Figure 4: an output window with a text message that is outputted in the event of authorization failure.

Figure 1 represents a system 10 for generating and transmitting a key 12 that serves for the authenticating of a service and maintenance computer 14 by an additional data processing unit of a printer which is not represented. The system 10 contains an authorization server 16 that is linkable with the service and maintenance computer over a network connection 18. The generation and transmission of the key 12 is also referred to as an approval [or: release, enable] procedure of the service and maintenance computer 14. A data connection between the service and maintenance computer 14 and the authorization server 16 is needed for this approval procedure, for instance over network 18.

The authorization server 16 generates what is known as a transaction number (TAN). The transaction number is a series of numbers and/or letters that a human operator must enter at the service and maintenance computer in order to execute the approval procedure. The transaction number generated by the authorization server 16 is sent to the operator by mail or e-mail. The operator is preferably a service technician from the printer manufacturer with a portable computer, a so-called notebook, as the service and maintenance computer 14. The service technician's service and maintenance computer 14 is referred to hereinafter as the service notebook.


After receiving the transaction number by mail or e-mail, the service technician starts a program module for executing the approval procedure on the service notebook 14. The service technician enters the transaction number by means of an interface and starts the approve operation. The program module detects a predetermined hardware identifier, for instance the serial number of the processor or of an adapter. A hardware identifier of this kind is also referred to as the fingerprint of the service notebook 14. The serial number and transaction number are transmitted to the authorization server 16 over the network connection 18. The authorization server 16 checks the validity of the transaction number and defines an authorization level for the service notebook based on said number, which will subsequently determine the access rights of the service notebook 14 to the control units and databases of a printer when the notebook and printer are linked.

The authorization server 16 also defines a validity date until which an authorization by a printer is possible with the aid of the generated key 12. A period in which a service notebook 14 can be approved with the aid of the transmitted transaction number is also defined. With the aid of the transmitted hardware identifier, validity date, and authorization level, the authorization server 16 generates what is known as a key 12, which contains this information in coded form and/or by means of which this information can at least be checked. The key 12 is transmitted over the network 18 to the service notebook 14 and stored in a memory area of the service notebook 14.

An approval procedure for approving the service notebook 14 is thus implemented by means of the system 10. The key 12 that is stored in the service notebook 14 as a result of this approval procedure contains the hardware identifier, expiration date and access rights of the service notebook 14 in encrypted form.

In other exemplifying embodiments, at least the hardware identifier, the expiration date, and the access rights can be checked with the aid of the key 12. In other exemplifying embodiments the transaction number can also be generated by a separate institution. The transaction number must then be sent to the service technician for entry into the service notebook 14 and entered into the authorization server 16. The network link 18 according to Figure 1 is a connection via a wide area network such as the Internet. If an Internet connection such as this is chosen, the data transfer occurs with the aid of a secure transmission channel.

Alternatively, in other exemplifying embodiments a point-to-point connection, e.g. by means of a modem, can be transmitted [sic] over a public telephone network. In order to enhance transmission security, known encryption methods can be used for data transmission. Furthermore, with the aid of the system 10 a service technician can approve the service notebook 14 from an arbitrary location that is linkable with the network 18. Thus it is also possible to approve the service notebook 14 from a customer's telephone terminal or any other telephone terminal.






If the validity period of key 12 has expired, the service notebook 14 must be 
reapproved. Reapproval is performed according to the same procedure described for 
the first approval of the service notebook 14. 


Different keys 12 are generated and delivered by the authorization server 16 for different notebooks at the same authorization level. However, the authorization level and validity period can be determined unambiguously from these different keys 12 without the respective key 12 itself having to be known to a data processing system of the printer that checks the authenticity of the service notebook 14. As a result, it is not necessary to inform all printers about which of the technician's notebooks 14 and which other control units have authorization to access the database and/or control units of the respective printer. Such a service notebook 14 is linked with a printer locally or over a network connection 18 as a control unit, it being possible to read the printer's settings and transmit modified settings to it by means of the service notebook 14, to operate the printer by means of the service notebook 14, and to run a diagnostic analysis of the printer or its assemblies by means of the service notebook 14.

For each individual parameter the authorization level until which a read and/or write access to this setting parameter is permitted can be defined by means of the printer software or firmware. Write access to setting parameters is advantageously allowed only to users with a high authorization level.

Figure 2 represents a control interface 20 for approving the service notebook 14. The control interface 20 is generated with the program module for approving the notebook 14 that was started by the technician on the notebook 14 and outputted on a display device of the notebook 14. With the aid of this control interface 20 the operator can choose the type of connection to the authorization server 16. The operator can enter or select the network address or, if the notebook 14 is connected to the authorization server 16 over a network connection of the World Wide Web of the Internet, the Internet address of the authorization server 16 in an input and output field 22. Alternatively, a point-to-point connection of the service notebook 14 to the authorization server 16 can also be set with the aid of a selection field 24 if, for example, the notebook 14 and the authorization server 16 are linkable over modems with the aid of a telephone network. For a point-to-point connection, the operator can enter the required data for the setup of the point-to-point connection in the input region 26. These data relate in particular to a log-in name and a password for setting up the connection and a telephone number via which the authorization server is reachable over the telephone network. A protocol is also selectable.

Region 26 also contains an output field in which the connection status is displayed. A connection over the telephone network can be established with the aid of a graphic button 28. An existing connection can be interrupted with the aid of the graphic button 30, and the setup and dismantling of a connection can be interrupted with the aid of the graphic button 32. The transaction number (TAN) that was sent is entered into input field 34. After inputting the transaction number, the operator can start the registration process at the authorization server with the aid of the graphic button 36, whereby the program module transmits the transaction number and the number of the processor of the service notebook 14 to the authorization server 16. The program module contains special program elements for detecting the serial numbers of the processor.

As described above in connection with Figure 1, after checking the validity of the transaction number, the authorization server 16 determines a key 12 with the aid of the processor's serial number and other information. After the key 12 is generated, it is transmitted to the notebook 14. The key 12 is stored in a dedicated memory area of the notebook 14. After the key 12 has been successfully transmitted to the notebook 14, the button 38 is displayed as active that the notebook 14 has been successfully approved [sic; p. 11, l. 14]. Activating the graphic button 38 terminates the approval operation and ends the running of the program module for approval.

Figure 3 is a block wiring diagram representing the authentication of the notebook 14 by a printer 40. The notebook 14 is connected to the printer 40 over a network connection 42. As explained above in connection with Figures 1 and 2, a key 12 is stored in the notebook 14, which contains information about the serial number of the processor, the validity period of the key, and the access rights of the service notebook 14. This information is preferably contained in the key 12 in coded form. Alternatively, this information can at least be checked with the aid of the key 12.



Before the notebook 14 receives access to setting parameters and diagnostic functions of the printer 40, the printer 40 performs an authorization of the service notebook 14. To that end, a program module of the printer detects the presence of the key 12 on the service notebook 14 and the authorization level of the notebook 14 over the network 42.

The authorization by the printer 40 is preferably achieved through the challenge and response technique. The printer 40 transmits a random number to the service notebook 14. With the random number, the service notebook 14 performs a non-bypassable mathematical computation operation depending on the key 12. The result of this computation operation is transmitted to the printer 40 over the network connection 42. The printer 40 checks the computation result by performing a mathematical computation operation that leads to the same result. If the two results match, then authentication of the notebook 14 by the printer 40 is successful.

As already mentioned, in the printer 40 it is specified for each setting parameter of the printer 40 whether users with a particular authorization level have read and/or write access to the value of the setting parameter. The service notebook 14 is one such user. Upon the successful authentication of the notebook 14, the printer 40 transmits data for generating a graphic user interface for controlling, configuring, and servicing the printer 40 to the notebook 14. The transmitted data are processed by the notebook with the aid of a browser program module. The graphic user interface preferably contains control interfaces, which are selectably displayed with the aid of menus.
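The approval procedure of Figure 1 (TAN plus hardware fingerprint yielding a key 12 that carries hardware identifier, expiration date and authorization level) and the challenge and response check with per-parameter access rights described for Figure 3, modelled in Python as an added example that is not part of the patent. The patent names no concrete primitives, so HMAC-SHA256 over a JSON payload is assumed here for the key's "coded form" and for the "non-bypassable computation", and the printer is assumed to hold the authorization server's verification secret; all names and sample values are constructed.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed example, not from the patent: AuthorizationServer turns TAN +
# hardware fingerprint into key 12; ServiceNotebook stores it and answers the
# printer's random number; Printer checks key 12 and applies per-parameter levels.
# Assumption: HMAC-SHA256 stands in for the patent's unspecified "coded form" and
# "mathematical computation"; the printer holds the server's verification secret.

def key_mac(secret: bytes, payload: dict) -> str:
    """Authenticate the key 12 payload (hardware id, expiry, authorization level)."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()

def key_response(mac_hex: str, challenge: bytes) -> str:
    """Key-dependent computation over the printer's random number (Figure 3)."""
    return hmac.new(bytes.fromhex(mac_hex), challenge, hashlib.sha256).hexdigest()

class AuthorizationServer:
    def __init__(self, master_secret: bytes, tan_validity_s: int = 7 * 86400):
        self._master = master_secret
        self._tans: dict = {}                # TAN -> (authorization level, TAN expiry)
        self._tan_validity_s = tan_validity_s

    def issue_tan(self, level: int, now: float) -> str:
        tan = secrets.token_hex(6).upper()   # delivered to the technician by mail/e-mail
        self._tans[tan] = (level, now + self._tan_validity_s)
        return tan

    def approve(self, tan: str, hardware_id: str, now: float,
                key_validity_s: int = 30 * 86400) -> Optional[dict]:
        """Return key 12 for this TAN and fingerprint, or None if the TAN is unusable."""
        level, tan_expiry = self._tans.pop(tan, (None, 0.0))   # each TAN is single use
        if level is None or now > tan_expiry:
            return None
        payload = {"hw": hardware_id, "exp": int(now + key_validity_s), "level": level}
        return {"payload": payload, "mac": key_mac(self._master, payload)}

class ServiceNotebook:
    def __init__(self, hardware_id: str):
        self.hardware_id = hardware_id       # processor serial number or MAC address
        self.key: Optional[dict] = None      # key 12, kept in a dedicated memory area

    def respond(self, challenge: bytes) -> str:
        return key_response(self.key["mac"], challenge)

class Printer:
    # Minimum authorization level for (read, write) access, per setting parameter
    ACCESS = {"fuser_temperature": (1, 3), "meter_count": (1, 4), "paper_tray": (0, 1)}

    def __init__(self, verification_secret: bytes):
        self._secret = verification_secret

    def authenticate(self, notebook: ServiceNotebook, now: float) -> Optional[int]:
        """Return the notebook's authorization level, or None if authentication fails."""
        key = notebook.key
        if key is None:
            return None                      # no key 12 present: never approved
        payload = key["payload"]
        expected_mac = key_mac(self._secret, payload)
        if not hmac.compare_digest(expected_mac, key["mac"]):
            return None                      # forged or altered key 12
        if payload["hw"] != notebook.hardware_id or now > payload["exp"]:
            return None                      # key copied to another machine, or expired
        challenge = secrets.token_bytes(16)  # the printer's random number
        if not hmac.compare_digest(key_response(expected_mac, challenge),
                                   notebook.respond(challenge)):
            return None
        return payload["level"]

    def allowed(self, level: Optional[int], parameter: str, write: bool) -> bool:
        """Per-parameter read/write permission for the given authorization level."""
        if level is None:
            return False
        read_level, write_level = self.ACCESS[parameter]
        return level >= (write_level if write else read_level)
```

Because the printer recomputes the key's authenticator from the payload alone, it needs no list of approved notebooks, which is the property the text claims for the different keys 12 issued at one authorization level.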


The graphic user interface and the control interfaces are preferably designed in such a way that they are automatically adapted to the authorization level of the notebook 14. If the notebook 14 is not authorized for a read and/or write access of the setting value of a setting parameter based on the assigned authorization level, this setting value is not displayed or is displayed only as inactive. If the notebook 14 lacks authorization to execute a diagnostic function, then this diagnostic function is not offered, i.e. not displayed, with the control interface and/or the menu items. That way, the operating of the control interface at lower authorization levels is easier and more clearly arranged.




With an authorization procedure such as the one described in connection with Figures 1 to 3, it is easy to prevent accidental or intentional manipulations and incorrect settings of setting parameters of the printing system. It is possible for the service notebook 14 to access the printer over a direct data line on site as well as remotely over a network connection, e.g. over the Internet or a telephone network. That way, remote maintenance, remote control and remote diagnostic analysis are easy to perform.

If the user interface for operating, configuring, and diagnostically analyzing the printer 40 is transmitted from the printer 40 to the notebook 14 over the network 42 and displayed there with the aid of a display program module, e.g. with the aid of a browser, then all the notebook 14 requires is software for requesting and managing the key 12, which must be stored in a storage area of the notebook 14 in addition to its standard software and processed by the notebook 14. The standard software of the service notebook 14 comprises at least one operating system and one browser program module.

The browser program module advantageously contains a Java Runtime program environment. The processing of Java Applets is very easy with the aid of this Java Runtime environment. With the aid of the Java Applets comprehensive operating, diagnostic, and configuration functions as well as a graphic user interface can be generated, which are outputted via the browser program module. It is not necessary to transmit and verify passwords. In particular, an inherent risk of such a password is that the password may be disseminated to another technician or operator, for example in the event that the service technician or operator is replaced for a weekend or during a vacation. Often these passwords are also written down and could reach unauthorized parties that way also.

According to the inventive authentication of the service notebook 14, the notebook contains all the data needed for its authentication. In the event of a substitution during a vacation or weekend, the notebook 14 is simply handed over to another technician or operator. The substitute technician or operator does not receive any information with which it is possible to access the printer 40 using another service notebook or another data processing system after returning the service notebook 14.

Figure 4 represents an output window with a text message that is outputted on the notebook 14 in the event of unsuccessful approval and in the event of expiration of approval. With this text message the technician is informed that the notebook 14 is not approved and he has no access to service tools, diagnostic tools, or documentation. Using the graphic button 44, the operator can start the program module for approving the notebook 14, whereby the control interface represented in Figure 2 is outputted. But approval as described in connection with Figure 2 is possible only if the operator has a valid transaction number. If graphic button 46 is activated, the program module for approval is not started, and the service and diagnostic tools requiring an authorization level are not available to the technician at notebook 14, nor is service documentation.


Alternatively to the serial number of the processor, a so-called MAC address of the network card contained in the service notebook 14 can be used as the hardware identifier. The MAC address is also referred to as the Ethernet address. The MAC address is a worldwide unique identifier of a network adapter. It is used in layer 2 of the OSI model for addressing. The MAC address is stored in a ROM memory of the network adapter and cannot be modified by means of program modules of the notebook 14. The MAC address is six bytes long and contains the manufacturer and the serial number of the respective network adapter in encrypted form. The MAC address is readable with known program modules. The MAC address thus serves as a unique identifier of the service notebook 14.

Furthermore, it is expedient to provide several user groups, each with an authorization level allocated to it. With this kind of an authentication, customer data such as overlays, character sets, and other resources can be protected against unauthorized reading or modification. An authorization of other internal and external operating units of the printer can also be performed before these units are given access to the setting parameters and control functions of the printer. The unauthorized operating of the printer 40 that can occur over a network to which the printer 40 is linked is also prevented this way. A cryptography technique with which information is encoded and decoded is preferably used, particularly an asymmetric or symmetric encryption technique. The key 12 can also contain a legitimation code. The key 12 is preferably a public key or a private key. Alternatively, a signature can be used instead of a key.

Despite the representation and detailed description of preferred exemplifying embodiments in the drawings and the description above, these should be understood purely as exemplary and not as limiting the invention. It bears emphasizing that only the preferred exemplifying embodiments are represented and described, and protection is intended to extend to all alterations and further modifications that are or will be within the scope of the invention.